A missing access control check was found in the way Zope Enterprise Objects (ZEO) used to manage remote connections to the Zope server. A remote attacker could use this flaw to execute arbitrary Python code in the context of the Zope server.
Created attachment 354876: ZEO patch by Jim Fulton (for both CVE-2009-0668 and CVE-2009-0669)
Public now via: http://mail.zope.org/pipermail/zope-announce/2009-August/002220.html

A new release of ZODB is available here: http://pypi.python.org/pypi/ZODB3/3.8.2
(There is also a new development release at http://pypi.python.org/pypi/ZODB3/3.9.0b5.)

New Zope releases that include the fixes can be found here:
http://www.zope.org/Products/Zope/2.10.9
http://www.zope.org/Products/Zope/2.11.4
http://www.zope.org/Products/Zope/2.8.11
http://www.zope.org/Products/Zope/2.9.11
http://www.zope.org/Products/Zope3/3.1.1
http://www.zope.org/Products/Zope3/3.2.4
http://www.zope.org/Products/Zope3/3.3.3
http://www.zope.org/Products/Zope3/3.4.1
conga (Remote Management System used by Red Hat Cluster Suite) uses zope, but does not ship the ZEO/ZODB component and hence is not affected by this problem. zope is currently only part of EPEL5 (2.10.7).
http://koji.fedoraproject.org/koji/taskinfo?taskID=1588264
zope-2.10.9-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.